An area in our organisation is disputing our policy to use user-IDs (e.g.
Unix and other account names) as external internet mailbox addresses on
security grounds and is trying to mandate the use of a translation/alias
table. The argument is that it forms half of the user-ID/password pair,
and is leaking vital security information. In my book this pretty much
falls into the security by obscurity category; however, they have latched
onto the "don't let anyone know anything more than possible" track, and it
is very hard to convince them that in this case there is little "real"
security provided by keeping user-IDs completely secret (note - we are not
publishing any lists. Just the people with whom an employee deals and
those that have received his or her business card will have the address).
I invite people to comment on this. Please speak freely, even if you don't
agree with my view - as I would like to get a rough feel for
"best-practice" in this area, and people's current thinking.
I would appreciate it also if you could copy responses to my mailbox
com) as well as to the firewalls list (yes I am a
regular reader, but have fallen hopelessly behind since Christmas - so
apologies also if some of this has been covered already - if this is so
then please feel free to point me in the direction of the appropriate